JavaScript is disabled for your browser. Some features of this site may not work without it.

The Public Health Information Infrastructure: A National Review of the Law on Health Information Privacy

Author

Gostin, Lawrence O.

Lazzarini, Zita

Neslund, Verla S.

Osterholm, Michael T.

Bibliographic Citation

JAMA. 1996 Jun 26; 275(24): 1921-1927.

Abstract

Our objectives were to review and analyze the laws in the 50 states, the District of Columbia, and Puerto Rico that regulate the acquisition, storage, and use of public health data and to offer proposals for reform of the laws on public health information privacy. Virtually all states reported some statutory protection for governmentally maintained health data for public health information in general (49 states), communicable diseases (42 states), and sexually transmitted diseases (43 states). State statutes permitted disclosure of data for statistical purposes (42 states), contact tracing (39 states), epidemiologic investigations (22 states), and subpoena or court order (14 states). The survey revealed significant problems that affect both the development of fair and effective public health information systems and the protection of privacy. Statutes may be silent about the degree of privacy protection afforded, confer weaker privacy protection to certain kinds of information, or grant health officials broad discretion to disseminate personal information. Our proposals for law reform are based on a meeting of experts at the Carter Presidential Center under the auspices of the Centers for Disease Control and Prevention and the Council of State and Territorial Epidemiologists: (1) an independent data protection commission should be established, (2) health authorities should justify the collection of personally identifiable information, (3) subjects should be given basic information about data practices, (4) data should be held and used in accordance with fair information practices, (5) legally binding privacy and security assurances should attach to identifiable health information with significant penalties for breach of these assurances, (6) disclosure of data should be made only for purposes consistent with the original collection, and (7) secondary uses beyond those originally intended by the data collector should be permitted only with informed consent.